PT-2026-8366 · Smoothwall · Smoothwall Express

Ozer Goker · Published 2026-02-16 · Updated 2026-02-16 · CVE-2019-25383

CVSS v3.1: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Smoothwall Express version 3.1-SP4-polar-x86_64-update9

Description
The software contains multiple reflected cross-site scripting issues within the apcupsd.cgi script. Attackers can inject malicious scripts by submitting crafted POST requests containing script payloads in several parameters. These parameters include BATTLEVEL, RTMIN, BATTDELAY, TO, ANNOY, UPSIP, UPSNAME, UPSPORT, POLLTIME, UPSUSER, NISPORT, UPSAUTH, EMAIL, FROM, CC, SMSEMAIL, SMTPSERVER, PORT, USER, and EMAIL PASSWORD. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of affected users.

Recommendations
Smoothwall Express version 3.1-SP4-polar-x86_64-update9: Sanitize all input received through the POST parameters BATTLEVEL, RTMIN, BATTDELAY, TO, ANNOY, UPSIP, UPSNAME, UPSPORT, POLLTIME, UPSUSER, NISPORT, UPSAUTH, EMAIL, FROM, CC, SMSEMAIL, SMTPSERVER, PORT, USER, and EMAIL PASSWORD in the apcupsd.cgi script to prevent the injection of malicious scripts.
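
One way to apply this recommendation, as an added example that is not Smoothwall's code: allow-list validation of the listed parameters, plus HTML encoding wherever a submitted value is echoed back into the page. The field types, the length cap and the function names are assumptions (the advisory gives only the parameter names), and Python is used purely for illustration.

```python
import html
import ipaddress
import re

# Parameter names are from the advisory; the types below are assumptions.
NUMERIC = {"BATTLEVEL", "RTMIN", "BATTDELAY", "TO", "ANNOY",
           "UPSPORT", "POLLTIME", "NISPORT", "PORT"}
ADDRESS = {"UPSIP"}
TEXT = {"UPSNAME", "UPSUSER", "UPSAUTH", "EMAIL", "FROM", "CC",
        "SMSEMAIL", "SMTPSERVER", "USER", "EMAIL PASSWORD"}
MAX_TEXT = 128  # assumed length cap for free-text fields


def validate(form):
    """Return (accepted, errors); unknown parameters are rejected."""
    accepted, errors = {}, {}
    for name, value in form.items():
        if name in NUMERIC:
            ok = re.fullmatch(r"[0-9]{1,5}", value) is not None
        elif name in ADDRESS:
            try:
                ipaddress.ip_address(value)
                ok = True
            except ValueError:
                ok = False
        elif name in TEXT:
            ok = len(value) <= MAX_TEXT and value.isprintable()
        else:
            ok = False
        (accepted if ok else errors)[name] = value
    return accepted, errors


def render_field(name, value):
    """Echo a submitted value back into the form, HTML-encoded.

    Encoding happens here, at output, for every value: free-text fields
    can legitimately contain <, > or quotes, so validation alone cannot
    make them safe to reflect.
    """
    return '<input type="text" name="{}" value="{}">'.format(
        html.escape(name, quote=True), html.escape(value, quote=True))


# Constructed sample submission, not captured traffic.
SAMPLE = {"BATTLEVEL": "15", "UPSIP": "192.0.2.10",
          "UPSNAME": '"><script>x</script>', "RTMIN": "5<b>"}
```

The UPSNAME value in the sample passes validation as free text, which is why the encoding in render_field, not the validator, is what stops it from being interpreted as markup.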

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-25383

Affected Products

Smoothwall Express